The Use of Personal Digital Assistants Poses Significant
Security Risks

July 2004

Reference Number: 2004-20-126

This report has cleared the Treasury
Inspector General for Tax Administration disclosure review process and
information determined to be restricted from public release has been redacted
from this document.

This report presents the results of our review of controls over Personal
Digital Assistants (PDA). The overall objective of this review was to
determine whether the Internal Revenue Service (IRS) had implemented
effective policies and procedures to adequately control the purchase,
distribution, and use of PDAs.

Since the early 1990s, PDAs have become increasingly popular due to their
portability and computing capabilities. PDAs can perform many of the same
functions as laptop computers, but they lack multiple security controls that
are available for laptops and other computers. The portability of PDAs and
their capacity to store sensitive data pose significant security risks for
the IRS. To minimize the risks, the IRS requires that only PDAs certified as
having adequate security capabilities be purchased and that the Chief
Information Officer (CIO) approve all purchases.

In summary, the IRS has purchased 427 PDAs for key personnel who may be
directly involved in ensuring the continuity of operations during an
emergency. These PDAs encrypt data, were certified as secure, and were
approved by the CIO.

However, the IRS has over 2,000 uncertified PDAs that can connect to the IRS
network. Without the approval of the CIO, business units purchased the PDAs
as a business tool for managers and employees to use while traveling. When
synchronized to a network computer, the PDAs provide a backdoor into the
network and bypass many of the existing security detection controls. Since
these PDAs do not encrypt data, they could provide access to sensitive
information, such as taxpayer data, if lost or stolen.

We could not account for the PDAs that had been purchased by the business
units because the business units did not maintain inventories and
distribution records for these devices. As an alternative, we used IRS
software that scanned the network to identify computers depicting PDA
synchronization software. We tested 125 computers in 4 locations and found
that several employees and contractors had installed unauthorized software to
allow them to connect their personal PDAs to the IRS network. Some PDAs
contained unencrypted sensitive information, such as step-by-step
instructions for allowing access to large IRS databases containing taxpayer
information and systems used to process travel vouchers.

Approximately 85 percent of the employees in our sample did not make use of
the password feature available on their PDAs. In general, employees were not
aware of the sensitivity of the information they had placed on their PDAs.
None of the IRS employees in our sample had been provided any information
regarding the risks of using PDAs and the controls necessary to reduce the
risks.

We recommended the CIO establish firm procedures and time periods to either
replace or upgrade PDAs with a solution certified by the Chief, Mission
Assurance. Those PDAs that remain in use should be inventoried and monitored
for compliance with security controls. We also recommended that the CIO
continue to scan the network to identify and remove unauthorized
synchronization software, and periodically remind employees and contractors
of the risks associated with PDAs and the procedures they should take to
minimize risk.

Management's Response: The CIO concurred with our recommendations and will
implement actions to ensure PDAs connected to the IRS network are in
compliance with appropriate security controls. The CIO will select a security
package that has password and encryption capabilities and establish a process
for removing or replacing all uncertified PDAs on the IRS network.

Also, the End User Equipment and Services (EUES) organization will conduct a
semiannual scan of IRS networks to identify workstations that have
synchronization software and issue a report identifying the users and their
locations. A member of the EUES staff will be assigned the responsibility of
removing all unauthorized synchronization software and uncertified PDAs from
the IRS network. In addition, employees and contractors will be informed
about the risks associated with PDAs and the prohibition against connecting
personal equipment to the IRS Intranet and network. Management's complete
response to the draft report is included as Appendix IV.

Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs),
at (202) 622-8510.

Since the early 1990s, the Personal Digital Assistant (PDA) has evolved from
being a device of very limited function, compatibility, and capacity to being
a highly functional extension of a user's desktop environment. Capacity,
connection options, and processing power have all increased dramatically,
while the applications and uses for PDAs are becoming increasingly complex.
At the same time, decreasing prices and the increasing use of multifunction
devices are helping fuel the rapid proliferation of PDAs.

In spite of their popularity and potential productivity benefits, PDAs pose
risks to an organization's security. The very portability that makes a PDA so
useful and attractive to its users threatens security. It increases the PDA's
vulnerability to theft or loss and makes it a highly portable tool for
circumventing security from within an organization. A study showed
approximately 250,000 handheld devices were left behind or lost in United
States airports in 2001. Most of those devices likely contained information
useful to hackers and others with no need to know proprietary information.

PDAs generally lack the security self-protection capabilities that are
available for other computers, thereby causing concern over the protection of
sensitive material downloaded to a PDA. When PDAs are purchased, user
authentication is generally not enabled; if user authentication is enabled,
it may be weak or easily circumvented. Also, information on PDAs is usually
not automatically encrypted, making encryption the responsibility of the
user.

PDAs that offer wireless communication capabilities generally increase the
security risk to organizations. Wireless transmissions may be intercepted
and, if inadequately encrypted, reveal their contents. The cellular
capabilities of some recent PDAs are a significant reason for concern. PDAs
could be connected to an organization's network or a desktop computer and at
the same time be connected to some nonsecure network, providing an unsecured
conduit into the organization by circumventing the organization's firewall.
In addition, viruses and other malicious software that attack the PDA itself
are beginning to emerge and can be expected to proliferate as the PDA
platform continues to become more compatible with, and connected to, more
common target systems.

This review was performed at the Internal Revenue Service (IRS) National
Headquarters in Washington D.C., and the IRS offices in New Carrollton,
Maryland; New York, New York; and Oakland, California, during the period
January through February 2004. We reviewed PDAs in the Wage and Investment,
Small Business/Self-Employed, Large and Mid-Size Business, and Tax Exempt and
Government Entities Divisions and in the Agency-Wide Shared Services
function.

The audit was conducted in accordance with Government Auditing Standards.
Detailed information on our audit objective, scope, and methodology is
presented in Appendix I. Major contributors to the report are listed in
Appendix II.

In May 2003, the Chief Information Officer (CIO) expressed concern over the
proliferation of PDAs within the IRS, including both Federal Government and
personally owned devices. The CIO believed actions were needed to establish
control of the devices, manage the risks associated with them, and enforce
existing security prohibitions. To minimize the risks, the IRS requires that
only PDAs certified as having adequate security capabilities be purchased and
that the CIO approve all purchases.

However, these procedures have not been effective in adequately controlling
the use of PDAs. We noted the following conditions:

• Purchases of PDAs were not properly authorized.

• PDAs were not properly controlled and inventoried.

• Employees did not follow security procedures when using PDAs.

These conditions increase the risk that unauthorized persons could access the
IRS network to disrupt operations or steal taxpayer information. Lost or
stolen PDAs could also provide access to unencrypted sensitive information.

Purchases of PDAs were not properly authorized

The IRS permits the use of a PDA for any employee with a business reason,
provided the PDA is certified, accredited, and capable of encrypting
transmissions. The IRS has purchased 427 PDAs for key personnel who may be
directly involved in ensuring the continuity of operations during an
emergency. These PDAs provide real-time email capabilities, encrypt data,
were certified as secure, and were approved by the CIO as required.

However, the CIO estimates the IRS has over 2,000 uncertified PDAs that can
connect to the IRS network. Business units purchased the uncertified PDAs
without the prior approval of the CIO and bypassed existing procedures to
purchase PDAs for managers and employees to use while traveling. We found no
documentation that business units assessed the security risks before
purchasing the PDAs.

PDAs were not properly controlled and inventoried

We could not account for the PDAs that had been purchased by the business
units because the business units did not maintain inventories and
distribution records for these devices. IRS inventory analysts stated that
the cost of individual PDAs was not considered substantial enough to warrant
creation of a PDA inventory.

IRS procedures require that all sensitive equipment be inventoried, no matter
the cost. Particularly because of their inherent risks, PDAs should have been
inventoried regardless of costs.

Employees did not follow security procedures when using PDAs

We judgmentally selected 125 computers in 4 locations that had been
identified as having PDA synchronization software. We confirmed 88 employees
had PDAs that were used to access the IRS network. Several of the PDAs we
reviewed contained unencrypted sensitive but unclassified data. For example,
four PDAs contained sensitive IRS data, such as step-by-step instructions for
allowing access to large IRS databases containing taxpayer information and
systems used to process travel vouchers. Another PDA stored a 100-page crisis
communications plan that contained IRS employee and building information.
Other PDAs included email attachments referencing a Limited Official Use
Memorandum of Understanding and a CIO database.

In our sample, 75 (85 percent) of 88 employees did not make use of the
password feature available on their PDAs. In addition, many employees were
generally not aware of the sensitivity of the information, such as emails,
that they had placed on their PDAs. We learned that IRS PDA users often set
their PDA email function to automatically download their inbox to the
unsecured PDA each time they connect to the network. This practice increased
the risk that sensitive data could be inadvertently placed on the PDA.

We determined that, in addition to those PDAs purchased by the business
units, employees and contractors had connected their personal PDAs to the IRS
network. Twelve IRS employees or contractors were using personal PDAs, and
five employees or contractors had installed their own synchronization
software onto IRS computers. Three employees or contractors had computers
with unauthorized wireless and/or cell phone software installed.

Also, we identified the following three potential integrity
issues that will be referred to the Treasury Inspector General for Tax
Administration Office of Investigations for further review:

• A contractor had self-installed synchronization software onto his or her
desktop to enable the contractor to use an unauthorized PDA with this
computer. The synchronization log indicated the contractor had downloaded two
pornographic Internet web sites onto the PDA. In addition, the contractor had
installed unauthorized software on this desktop that allowed him or her to
communicate outside the IRS network via a modem, a high-risk practice
specifically prohibited by the IRS. A telephone line had been connected
directly to this desktop computer, indicating the contractor may have used
the modem.

• A contractor with synchronization software installed on his or her desktop
claimed he or she never used the software. Upon review of the synchronization
log, we noted synchronization occurred on September 3, 2003. The contractor
stated he or she was on vacation at that time, left the PDA in the cradle,
and did not know who used the desktop and synchronization software.

• One laptop was loaned out to an employee without removal of the
synchronization software, providing the employee the opportunity to connect a
personal PDA or other unauthorized device to the laptop.

Business units did not provide employees with guidance on how to use the PDAs
in a secure manner. None of the IRS employees in our sample were given any
information regarding the risks of using PDAs and the controls necessary to
reduce the risks.

In December 2003, the CIO sent a draft memorandum to the business units
reminding them of the security risks associated with PDAs and the need to
protect sensitive data. The CIO encouraged business units to purchase the PDA
currently certified for use if real-time email capabilities were required.
For those employees not requiring that capability, the CIO indicated
uncertified PDAs currently in use could continue to be used until a certified
device could replace them. No specific procedures or time periods were
provided for accomplishing these actions.

1. Establish firm measures and time periods to either replace or upgrade PDAs
with a solution certified by the Chief, Mission Assurance.

Management's Response: The CIO will select a security package with password
and encryption capabilities and establish a process (including measures and
time periods) for removing or replacing existing PDAs on the network that are
not certified.

2. Inventory and monitor all PDAs in use for compliance with security
controls.

Management's Response: The Director, End User Equipment and Services (EUES),
has assigned a Contracting Officer's Technical Representative to inventory
all PDAs now in use. The EUES organization will scan the network to confirm
that all PDAs connected to the network comply with security controls.

3. Continue to scan the network to identify computers with synchronization
software and follow up to determine whether personal PDAs are being used.
Unauthorized synchronization software should be removed from networked
computers.

Management's Response: The EUES organization will conduct a semiannual scan
of the IRS networks, identify the workstations that have synchronization
software, and issue a report that matches the assigned user and location of
the workstation. The report will be distributed to the EUES organization Area
Directors, who will designate a staff member to take appropriate action to
remove all unauthorized synchronization software and wireless devices from
the network.

4. Periodically remind employees and contractors that connecting personal
equipment, such as PDAs, to the IRS network is prohibited.

Management's Response: The Modernization and Information Technology Services
organization will inform employees and contractors, when it provides initial
service, that connecting personal equipment to the IRS Intranet and network
is prohibited. In addition, the Director of Assurance Programs in the Office
of Mission Assurance incorporated PDA training in the Annual Security
Awareness Program for Calendar Year 2004, advising employees that connecting
personal equipment such as PDAs to the IRS network is prohibited. This is
ongoing training that was scheduled to begin in late June 2004. The Director
of Assurance Programs will also coordinate with the Procurement function in
the Agency-Wide Shared Services organization to identify the means to
effectively communicate reminders to contractors that connecting personal
equipment, such as PDAs, to the IRS network is prohibited.

5. Provide training to those employees with authorized PDAs and advise them
of the risks associated with PDAs. The training should address the need for
using passwords and encrypting sensitive data.

Management's Response: The EUES organization will inform employees about the
risks associated with PDAs when it provides them with initial service. Also,
the Director of Assurance Programs has incorporated PDA training in the
Annual Security Awareness Program for Calendar Year 2004. The training
advises employees of the associated risks and the need for using passwords
and encrypting sensitive data. Training was scheduled to begin in late June
2004.

The overall objective of this review was to determine whether the Internal
Revenue Service (IRS) had implemented effective policies and procedures to
adequately control the purchase, distribution, and use of Personal Digital
Assistants (PDA).

I. To determine whether IRS management had established sufficient policies,
procedures, and guidelines to ensure PDAs were used in a secure manner, we:

A. Reviewed all current policies and procedures to determine whether there
were specific criteria and standards for the use of PDAs and whether security
controls pertaining to sensitive but unclassified information and emails were
adequate.

B. Evaluated the types of security risks PDA use poses to the IRS network.

C. Using TIVOLI® software to scan the IRS network, identified a population of
2,565 computers with PDA synchronization software installed and judgmentally
selected 4 IRS offices (sites) based on which locations had among the highest
numbers of computers with PDA software. We chose a judgmental sample for
efficiency and because we did not plan to project results. The four sites
selected were IRS Headquarters, Washington, D.C.; New Carrollton, Maryland;
New York, New York; and Oakland, California.

D. Interviewed End User Equipment and Services organization and Modernization
and Information Technology Services (MITS) organization Territory Managers at
the four sites to determine whether requirements for the use of PDAs were
disseminated to PDA users and whether PDA users had been provided training on
the reduction of risks relative to PDAs.

E. Judgmentally selected 30 computers at 3 sites and 35 at a fourth site, for
a total of 125 computers, from the 2,565 computers identified by the TIVOLI®
software and confirmed that 88 of those employees and contractors still had
PDAs. We interviewed the 88 PDA users identified by the TIVOLI® scan at the 4
sites to determine how they used PDAs and what information they stored on
their PDAs. We also evaluated their PDAs, synchronization software, and logs
to determine what PDA functions were used and whether sensitive but
unclassified information was stored on the PDAs.

II. To determine whether controls were adequate to account for all PDAs
received and distributed, we: